Tue Dec 27 03:19:14 UTC 2005 Michael Allan * Escape patch names. When patch names used in HTML, escape characters like '<'.
diff -rN -u old-darcsweb/darcsweb.cgi new-darcsweb/darcsweb.cgi
--- old-darcsweb/darcsweb.cgi 2014-04-25 21:08:16.000000000 +0000
+++ new-darcsweb/darcsweb.cgi 2014-04-25 21:08:16.000000000 +0000
@@ -1012,7 +1012,7 @@
 'author': shorten_str(p.shortauthor, 26),
 'myrname': config.myreponame,
 'hash': p.hash,
- 'name': shorten_str(p.name),
+ 'name': escape(shorten_str(p.name)),
 'fullname': escape(p.name),
 }
 print ""
@@ -1263,7 +1263,7 @@
 """ % {
 'myreponame': config.myreponame,
 'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
 }
 dsrc = p.getdiff()
@@ -1287,7 +1287,7 @@
 """ % {
 'myreponame': config.myreponame,
 'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
 }
 dsrc = get_darcs_diff(phash)
@@ -1316,7 +1316,7 @@
 """ % {
 'myreponame': config.myreponame,
 'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
 }
 dsrc = get_patch_headdiff(phash)
@@ -1341,7 +1341,7 @@
 """ % {
 'myreponame': config.myreponame,
 'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
 }
 dsrc = get_darcs_headdiff(phash)
@@ -1368,7 +1368,7 @@
 """ % {
 'myreponame': config.myreponame,
 'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
 'fname': fname,
 }
@@ -1393,7 +1393,7 @@
 """ % {
 'myreponame': config.myreponame,
 'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
 'fname': fname,
 }
@@ -1416,7 +1416,7 @@
 """ % {
 'myreponame': config.myreponame,
 'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
 'fname': fname,
 }
@@ -1442,7 +1442,7 @@
 """ % {
 'myreponame': config.myreponame,
 'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
 'fname': fname,
 }
@@ -1478,12 +1478,12 @@
 'local_date': p.local_date_str,
 'date': p.date_str,
 'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
 }
 if p.comment:
 c = p.comment.replace('\n', '
\n') print '
' - print p.name, '

' + print escape(p.name), '

' print c print '
'
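Review bot: The patch comment in the last hunk (`c = p.comment.replace(...)` followed by `print c`) is still printed without `escape()`, although it is author-controlled text from the same patch record as `p.name`. Unless it is escaped somewhere outside the visible lines, escape it before the line-break substitution, `c = escape(p.comment).replace(...)` with the existing arguments, so that the markup the replace inserts is not escaped along with it. The same question applies to `'author': shorten_str(p.shortauthor, 26)` in the hunk at line 1012 and to `'fname': fname` in the hunks at 1368, 1393, 1416 and 1442, which go into the same templates unescaped. The templates start outside these hunks, so it cannot be checked from here whether `%(name)s` or `%(fname)s` also lands inside an attribute or a URL, where quote escaping or URL-encoding would be needed on top of plain HTML escaping.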